tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mark Eggers <its_toas...@yahoo.com.INVALID>
Subject Re: Sporadic HTTP 403 returned by Tomcat when this should not happen ever. How to find out why this happens?
Date Fri, 06 Feb 2015 16:58:54 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 2/6/2015 2:21 AM, Brian wrote:
> Hello Mark,
> 
> 1- No authentication at all, since the user authenticates sending a
> parameter in the query string.
> 
> 2- I have two filters:
> "org.tuckey.web.filters.urlrewrite.UrlRewriteFilter" (which has
> been working fine for years now) and.... CORS, yes!!! Actually, the
> CORS filter (org.apache.catalina.filters.CorsFilter) is the first
> filter in my web.xml file, so it is the first to run. This is the
> way I have configured it:
> 
> <filter> <filter-name>CorsFilter</filter-name> 
> <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
>
> 
<init-param>
> <param-name>cors.allowed.origins</param-name> 
> <param-value>*</param-value> </init-param> <init-param> 
> <param-name>cors.support.credentials</param-name> 
> <param-value>false</param-value> </init-param> </filter> 
> <filter-mapping> <filter-name>CorsFilter</filter-name> 
> <url-pattern>/*</url-pattern> </filter-mapping>
> 
> I added the CORS filter probably two months ago, and probably I
> have started seen the 403 errors since then, yes! And now that I
> think about it, probably it is the CORS filter the reason of the
> 403 indeed, since my API is being called not only from servers but
> also from Javascript running in all kind of browsers and maybe some
> of them don't deal with CORS properly. That would explain why the
> 403s happens ocasionally. In fact, I see this 403 ocurring in most
> of the cases by one specific user (authenticated by a parameter in
> the query string) that calls my API from javacript!
> 
> In what conditions does this filter return a 403 error? What are
> the Headers involved when that happens? How can I avoid this
> problem? Where (on the internet) can I learn more about this
> specific problem?

CORS basically doesn't with Internet Explorer < 10.

IE < 8, and CORS does not work at all.
IE 8 - Microsoft has a 'special mechanism' for CORS
IE 9 - Microsoft breaks the 'special mechanism'
IE 10 - Microsoft tells people to use CORS

http://blogs.msdn.com/b/ieinternals/archive/2010/05/13/xdomainrequest-restrictions-limitations-and-workarounds.aspx

. . . been there, fought that
/mde/

> 
> Thanks Mark!
> 
> 
> 
>> -----Original Message----- From: Mark Thomas
>> [mailto:markt@apache.org] Sent: viernes, 06 de febrero de 2015
>> 04:47 a.m. To: Tomcat Users List Subject: Re: Sporadic HTTP 403
>> returned by Tomcat when this should not happen ever. How to find
>> out why this happens?
>> 
>> On 05/02/2015 23:14, Brian wrote:
>>> Hello David,
>>> 
>>> Not, it is not the case. No exceptions whatsoever. And about
>>> 1/100 (or less) of
>> the requests return a 403 to the users, and all those requests
>> are doing the same thing.
>>> Thanks a lot for your help!
>> 
>> Is any authentication configured for this web application?
>> 
>> What filters are configured (the CORS filter might return a 403
>> for example)?
>> 
>> Mark

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBAgAGBQJU1PLOAAoJEEFGbsYNeTwtg18H/j1yQF3474DOj7aqlV6coukt
IHzxkKPADyxEZ/CeAlJrV/E/dGkhk4CI4hYsnYogzRZi0RNyf6ibiwCIS+nClYqD
XqsuLrgVfULgqoo2C2rqRhVXgE6PruVv3C+Sw6PfqXLzVziNZANKaUEKUyzHdbfB
CFc8pbPKdZ/cCUYB46FNfw0xH//3v05xs9lxB88GDzmpa1ByDKggyG8t8KDO8BN3
skyr/36yaE/Xecr6bpTserOQQu+2IWH+H386ucZr0WMWGxL4rYCZLOyQK57RzJFk
regMSEgHZmKxluiEwf09VrgZD+crjN1MRI+eiYigQ5VxgQNliFIhluR58I8euxc=
=c7fL
-----END PGP SIGNATURE-----

---
This email is free from viruses and malware because avast! Antivirus protection is active.
http://www.avast.com


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Mime
View raw message